US11818150B2ActiveUtilityA1
System and methods for detecting and mitigating golden SAML attacks against federated services
Est. expiryOct 28, 2035(~9.3 yrs left)· nominal 20-yr term from priority
Inventors:Randy ClaytonJason CrabtreeLuka JurukovskiRichard KelleyAngadbir SalariaAndrew SellersFarooq Shaikh
H04L 63/1416H04L 63/0876H04L 63/1425H04L 63/1466H04L 9/3239H04L 63/0815H04L 63/1433H04L 63/126
74
PatentIndex Score
0
Cited by
39
References
12
Claims
Abstract
A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A system for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
a computing device comprising a memory and a processor;
an authentication object inspector comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service;
store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database;
generate a security cookie for the first authentication object;
provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user;
receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie;
compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object;
check the second authentication object for the security cookie; and
generate an authentication failure if the security cookie is missing or invalid.
2. The system of claim 1 , further comprising a hashing engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the computing device to:
receive authentication objects from the authentication object inspector;
calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and
return the security cookies for authentication objects received to the authentication object inspector.
3. The system of claim 1 , wherein the authentication object inspector is operated by the identity provider.
4. The system of claim 2 , wherein the authentication object inspector is operated by the identity provider.
5. The system of claim 1 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
6. The system of claim 2 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
7. A method for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
using an authentication object inspector operating on a computing device comprising a memory and a processor to:
receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service;
store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database;
generate a security cookie for the first authentication object;
provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user;
receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie;
compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object;
check the second authentication object for the security cookie; and
generate an authentication failure if the security cookie is missing or invalid.
8. The method of claim 7 , further comprising the steps of:
using a hashing engine operating on a computing device comprising a memory and a processor to:
receive authentication objects from the authentication object inspector;
calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and
return the security cookies for authentication objects received to the authentication object inspector.
9. The method of claim 7 , wherein the authentication object inspector is operated by the identity provider.
10. The method of claim 8 , wherein the authentication object inspector is operated by the identity provider.
11. The method of claim 7 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
12. The method of claim 8 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.